
A Guide to Email Security for Domain Owners

By Daniel Cid (@dcid) Posted in: email-security, dns

Email is the easiest brand channel to impersonate. As a domain owner, your job is to make it hard for attackers to spoof your From: address and to give receiving mail servers strong signals to trust your legitimate messages. This guide walks through the core controls—SPF, DKIM, DMARC—plus transport and reporting standards (MTA-STS, TLS-RPT) and a visual trust layer (BIMI).

Goals

  • Stop spoofing and reduce phishing sent “from” your domain.
  • Preserve deliverability for legitimate providers (your own SMTP, SaaS mailers, support tools, CRM).
  • Gain visibility with aggregate and forensic reports to tune policies safely.

1) SPF — Authorize Senders by IP/Domain

SPF (Sender Policy Framework) is a DNS TXT record listing the hosts allowed to send mail for your domain. Receivers check the connecting IP against this list.

Type: TXT
Name: @
Value: v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net ~all
  • ip4:/ip6: your outbound mail server(s).
  • include: authorized third-party senders (e.g., Google Workspace, SendGrid, Mailgun).
  • End with ~all (softfail) while testing; move to -all (fail) once confident.

Tip: Keep SPF < 255 chars per string; use multiple strings if needed and mind the 10-lookup limit.
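As an added example (not code from the article), a small Python checker that parses an SPF record and counts the terms that consume one of the 10 permitted DNS lookups. It inspects only the record text it is given, so nested include: records still have to be fetched and counted separately.

```python
# Mechanisms/modifiers that each cost one DNS lookup under the RFC 7208
# limit of 10. ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier, e.g. redirect=
            name, value = term.split("=", 1)
        elif ":" in term:                    # mechanism with an argument
            name, value = term.split(":", 1)
        else:                                # bare mechanism, e.g. mx
            name, value = term, ""
        terms.append((qualifier, name.lower(), value))
    return terms

def count_lookups(record):
    """Lookup-costing terms in this record only. Nested include: records
    add their own, so the true total needs the included records too."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def check_spf(record):
    """Return a list of findings; an empty list means no issue found."""
    terms = parse_spf(record)
    findings = []
    n = count_lookups(record)
    if n > 10:
        findings.append(f"permerror risk: {n} lookup terms exceed the limit of 10")
    names = [name for _, name, _ in terms]
    if "ptr" in names:
        findings.append("ptr is discouraged by RFC 7208; remove it")
    last_q, last_name, _ = terms[-1] if terms else ("+", "", "")
    if last_name == "all" and last_q == "+":
        findings.append("+all authorizes every host; use ~all or -all")
    elif last_name != "all" and "redirect" not in names:
        findings.append("no trailing all mechanism; unlisted hosts get neutral")
    if len(record) > 255:                    # assumes a single TXT string
        findings.append("over 255 chars: split into multiple TXT strings")
    return findings

# Constructed sample input: the record shown in the section above.
PAGE_RECORD = "v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net ~all"
```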

2) DKIM — Sign Mail with a Private Key

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. Receivers fetch the public key from DNS and verify the signature.

Type: TXT
Name: selector1._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...QIDAQAB
  • Selector (e.g., selector1) lets you rotate keys without downtime.
  • Publish p= with your public key; keep the private key in your MTA or email provider.
  • Sign with a d= domain that matches the domain in the visible From: header (this is what DMARC alignment checks).

3) DMARC — Policy, Alignment, and Reporting

DMARC tells receivers what to do when SPF/DKIM fail or don’t align with the visible From: domain. It also sends you reports so you can tune safely.

Type: TXT
Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-agg@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100
  • p=none to start (monitor only). Later: quarantine then reject.
  • rua= receives aggregate (XML) reports; ruf= optionally receives forensic samples (PII caution).
  • aspf/adkim strict (s) for strong alignment or relaxed (r).
  • pct can phase in enforcement (e.g., pct=25, then pct=100).

Alignment matters: For DMARC to pass, either SPF or DKIM must pass and the domain it authenticates (MAIL FROM for SPF, d= for DKIM) must align with the visible From: domain (per aspf/adkim).
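An added Python example (not from the article) that applies the alignment rule above to one message: it parses the DMARC record and decides pass/fail from the SPF and DKIM results plus the aspf/adkim modes. The organizational-domain helper is a deliberate simplification that uses the last two labels instead of the Public Suffix List, and pct sampling is ignored.

```python
def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Simplification (assumption): real DMARC consults the Public Suffix
    List, so multi-label suffixes like .co.uk are not handled here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=none; ...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=")
    return tags

def dmarc_evaluate(record, from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_d):
    """Return (verdict, disposition). DMARC passes when SPF or DKIM passed
    AND that identifier aligns with the visible From: domain. On failure
    the disposition is the published p= (pct sampling is ignored here)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(
        mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

# Constructed samples: the strict record from the section above, plus a
# relaxed one at p=reject for comparison.
STRICT = ("v=DMARC1; p=none; rua=mailto:dmarc-agg@yourdomain.com; "
          "ruf=mailto:dmarc-forensic@yourdomain.com; adkim=s; aspf=s; fo=1; pct=100")
RELAXED = "v=DMARC1; p=reject; aspf=r; adkim=r"
```

With the strict record, a bounce subdomain in MAIL FROM is enough to fail SPF alignment even though SPF itself passed; the relaxed record accepts it.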

4) MTA-STS — Enforce TLS for SMTP

MTA-STS lets you require TLS for mail delivery to your domain, preventing downgrade (STARTTLS stripping) attacks.

  1. Publish the policy via DNS:
    Type: TXT
    Name: _mta-sts
    Value: v=STSv1; id=20240116
    
  2. Serve the policy via HTTPS (must be on mta-sts.yourdomain.com):
    GET https://mta-sts.yourdomain.com/.well-known/mta-sts.txt
    
    version: STSv1
    mode: enforce
    mx: mail.yourdomain.com
    max_age: 86400
    

5) TLS-RPT — Receive TLS Failure Reports

TLS-RPT sends you JSON reports from receivers about TLS delivery issues.

Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:tls-rpt@yourdomain.com

6) BIMI — Display Your Logo in Supporting Inboxes

BIMI shows your verified logo when you have strong DMARC enforcement (usually p=quarantine at 100% or p=reject).

Type: TXT
Name: default._bimi
Value: v=BIMI1; l=https://yourdomain.com/bimi/brand.svg; a=https://yourdomain.com/bimi/vmc.pem
  • l= SVG Tiny-PS logo; a= optional Verified Mark Certificate (required by some providers).

Rollout Plan (Safest Path)

  1. Inventory senders. List every service that sends mail for your domain (product, marketing, support, CRM, billing).
  2. Publish SPF (softfail). Add includes for each provider; watch lookups (≤10) and keep it tidy.
  3. Enable DKIM everywhere. Generate per-provider keys; rotate with new selectors.
  4. Deploy DMARC at p=none. Collect rua reports; validate alignment across providers.
  5. Fix alignment issues. Adjust From: domains, set custom DKIM domains, or route through authorized MTAs.
  6. Move to enforcement. p=quarantine with pct=25, then pct=100, then p=reject when confident.
  7. Add MTA-STS & TLS-RPT. Enforce TLS and monitor failures.
  8. Optional: BIMI. After DMARC enforcement, publish BIMI records and VMC if required.

Testing & Troubleshooting

SPF lookups (mind the 10-lookup limit):

dig +short TXT yourdomain.com

DKIM DNS (replace selector):

dig +short TXT selector1._domainkey.yourdomain.com

DMARC DNS:

dig +short TXT _dmarc.yourdomain.com

MTA-STS fetch:

curl -s https://mta-sts.yourdomain.com/.well-known/mta-sts.txt

TLS to MX (verify STARTTLS):

openssl s_client -starttls smtp -crlf -connect mail.yourdomain.com:25

Common Pitfalls

  • SPF “permerror” due to too many DNS lookups or nested include:s.
  • DKIM selectors published but provider not actually signing mail.
  • DMARC alignment failing because marketing tools use a different visible From: domain.
  • MTA-STS policy served on the wrong host or with invalid TLS cert.
  • Rolling to p=reject before all legitimate senders are covered.

Tip: Use a DMARC report viewer to aggregate rua XML across receivers. It simplifies spotting misconfigured senders and alignment gaps.

With these building blocks in place—and a cautious rollout—you’ll dramatically reduce spoofing risk, strengthen brand trust, and improve delivery rates for legitimate mail.
